Manage certificates with TinyCA on Ubuntu.



Current development status of TinyCA is unknown. XCA is recommended instead.



- Installation:


# sudo apt-get install tinyca
# tinyca2 &


- Create a new CA named TestCA:


  (Screenshots testca0, testca1 and testca2 omitted.)


- Export the CA certificate in PEM encoding:


  (Screenshot testca14 omitted.)




- Create and export a new certificate for gateway1.example.com (FQDN):


  1. Edit the TestCA's openssl.cnf file so that the certificate will include gateway1.example.com as a SubjectAltName (DNS/FQDN). Keep a copy of the original file:

    # cd ~/.TinyCA/TestCA/
    # ls
    cacert.key certs index.txt newcerts openssl.cnf.org serial
    cacert.pem crl keys openssl.cnf req

    # cp openssl.cnf openssl.cnf.org
    # gedit openssl.cnf &

  2. Modify the subjectAltName line in the [ server_cert ] section of the TestCA's openssl.cnf like this:

    [ server_cert ]
    basicConstraints = CA:FALSE
    nsCertType = server
    nsComment = "TinyCA Generated Certificate"
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer:always
    issuerAltName = issuer:copy
    subjectAltName = DNS:gateway1.example.com

    See man 5 x509v3_config for more details about openssl.cnf.

    If you want to use the default setting (E-Mail address), you can skip this step.

  3. Create a certificate and a private key for gateway1.example.com.

    Select Create Key and Certificate (Server).

    (Screenshots testca3, testca4, testca5 and testca6 omitted.)

  4. Export gateway1's certificate and private key, together with the CA's certificate, to a PKCS#12 file.

    - File name: gateway1.example.com.p12
    - Export password: himitsu

    (Screenshots testca7 and testca8 omitted.)

  5. Restore the original openssl.cnf file.

    # cd ~/.TinyCA/TestCA/
    # rm openssl.cnf
    # mv openssl.cnf.org openssl.cnf




- Create and export a new certificate for remotehost1.example.com (FQDN):


  1. Edit the TestCA's openssl.cnf file so that the certificate will include remotehost1.example.com as a SubjectAltName (DNS/FQDN). Keep a copy of the original file:

    # cd ~/.TinyCA/TestCA/
    # ls
    cacert.key certs index.txt newcerts openssl.cnf.org serial
    cacert.pem crl keys openssl.cnf req

    # cp openssl.cnf openssl.cnf.org
    # gedit openssl.cnf &

  2. Modify the subjectAltName line in the [ client_cert ] section of the TestCA's openssl.cnf like this:

    [ client_cert ]
    basicConstraints = CA:FALSE
    nsCertType = client, email, objsign
    nsComment = "TinyCA Generated Certificate"
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer:always
    issuerAltName = issuer:copy
    subjectAltName = DNS:remotehost1.example.com
    keyUsage = digitalSignature, keyEncipherment

    See man 5 x509v3_config for more details about openssl.cnf.

    If you want to use the default setting (E-Mail address), you can skip this step.

    Rockhopper does not distinguish between certificate usage types, so you can also create the certificate for this node as a server certificate, as described above.

  3. Create a new certificate and a new private key for remotehost1.example.com.

    Select Create Key and Certificate (Client).

    (Screenshots testca9, testca10 and testca11 omitted.)

  4. Export remotehost1's certificate and private key, together with the CA's certificate, to a PKCS#12 file.

    - File name: remotehost1.example.com.p12
    - Export password: naisho

    (Screenshots testca12 and testca13 omitted.)

  5. Restore the original openssl.cnf file.

    # cd ~/.TinyCA/TestCA/
    # rm openssl.cnf
    # mv openssl.cnf.org openssl.cnf




- Revoke the certificate for remotehost20.example.com and export a CRL file:


  1. Revoke the certificate for remotehost20.example.com.

    Select remotehost20.example.com.

    (Screenshots testca15, testca16 and testca17 omitted.)

  2. Export a new CRL (Certificate Revocation List) file in PEM encoding.

    (Screenshot testca18 omitted.)


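The following is an added example, not code from this page or from the Rockhopper project. It checks what the TinyCA steps above export, using only the openssl command line: that the certificate inside a .p12 file really carries the DNS SubjectAltName set in openssl.cnf, that it chains to the exported CA certificate, and that it is rejected once it is listed in the exported CRL. The make_fixtures function, its ca.cnf and the section names in it are constructed stand-ins for TinyCA's real output; the file names and the password himitsu follow the page.

```bash
#!/bin/bash
# Added example; not code from the TinyCA page or the Rockhopper project.
# Checks the files the steps above export, using only the openssl CLI: the CA
# certificate (PEM), a host's PKCS#12 file plus its export password, the CRL (PEM).
set -eu
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT

# Print the end-entity certificate held in a .p12 (password via env, not argv).
p12_cert() {  # $1 = .p12 file   $2 = export password
    P12PW="$2" openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12PW 2>/dev/null
}

# Succeeds only if that certificate carries DNS:<fqdn> in subjectAltName.
p12_has_dns_san() {  # $1 = .p12   $2 = password   $3 = expected FQDN
    p12_cert "$1" "$2" | openssl x509 -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | grep -qw "DNS:$3"
}

# Succeeds only if the certificate chains to the CA and is absent from the CRL.
p12_verify() {  # $1 = .p12   $2 = password   $3 = cacert.pem   $4 = crl.pem
    p12_cert "$1" "$2" > "$TMP/ee.pem"
    openssl verify -crl_check -CAfile "$3" -CRLfile "$4" "$TMP/ee.pem" >/dev/null 2>&1
}

# Constructed test data standing in for TinyCA's output: a CA, a server cert with
# the page's subjectAltName, its .p12, an empty CRL and a CRL revoking the cert.
make_fixtures() {  # sets FIX to the directory holding the files
    FIX=$(mktemp -d "$TMP/fix.XXXXXX")
    ( cd "$FIX"
      printf '[ca]\ndefault_ca=t\n[t]\ndir=%s\ndatabase=$dir/index.txt\nnew_certs_dir=$dir\n' "$FIX" > ca.cnf
      printf 'certificate=$dir/cacert.pem\nprivate_key=$dir/cacert.key\nserial=$dir/serial\n' >> ca.cnf
      printf 'default_md=sha256\ndefault_days=30\ndefault_crl_days=30\npolicy=p\n[p]\ncommonName=supplied\n' >> ca.cnf
      printf '[req]\ndistinguished_name=p\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' >> ca.cnf
      printf '[server_cert]\nbasicConstraints=CA:FALSE\nsubjectAltName=DNS:gateway1.example.com\n' >> ca.cnf
      touch index.txt; echo 01 > serial
      openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout cacert.key -out ca.csr -subj /CN=TestCA 2>/dev/null
      openssl x509 -req -days 30 -in ca.csr -signkey cacert.key -extfile ca.cnf -extensions v3_ca -out cacert.pem 2>/dev/null
      openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout gw.key -out gw.csr -subj /CN=gateway1.example.com 2>/dev/null
      openssl ca -batch -notext -config ca.cnf -extensions server_cert -in gw.csr -out gw.pem 2>/dev/null
      P12PW=himitsu openssl pkcs12 -export -in gw.pem -inkey gw.key -certfile cacert.pem -passout env:P12PW -out gateway1.example.com.p12
      openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null   # nothing revoked yet
      openssl ca -config ca.cnf -revoke gw.pem 2>/dev/null
      openssl ca -config ca.cnf -gencrl -out crl-revoked.pem 2>/dev/null )
}

make_fixtures   # demo on constructed data; point the calls below at the real exports instead
p12_has_dns_san "$FIX/gateway1.example.com.p12" himitsu gateway1.example.com && echo "SAN present"
p12_verify "$FIX/gateway1.example.com.p12" himitsu "$FIX/cacert.pem" "$FIX/crl.pem" && echo "chain OK, not revoked"
p12_verify "$FIX/gateway1.example.com.p12" himitsu "$FIX/cacert.pem" "$FIX/crl-revoked.pem" || echo "rejected: revoked"
```

With OpenSSL 3, a .p12 written by the older OpenSSL behind TinyCA may need -legacy added to the pkcs12 command before it will open.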